
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #43

October 27, 2004

Attention readers who have recently earned CISSP certification from (ISC)2, or CISA certification from ISACA, or Security+ certification from CompTIA. If you attended an outstanding test preparation course (in any language), please introduce your instructor to us (email info@sans.org with subject Instructors). SANS is developing a huge new global initiative to expand access to effective courses for the three certification programs. The opportunity for wonderful teachers is very substantial.

TOP OF THE NEWS

Average Home User's PC Rife with Spyware, Weak on Security, Too (25 October 2004)

A survey from America Online and the National Cyber Security Alliance found that the average home user's PC is not as secure as its owner may think. The survey included an inspection of the computers belonging to 329 respondents. Although 77% of the participants said they believed they were protected from security threats, two-thirds lacked the combined protection of current antivirus software and a firewall, even though 85% did have anti-virus software installed. 72% used their computers to conduct sensitive personal business, such as banking or the transmission of medical information. The inspections found that 80% of the computers contained multiple spyware programs and 20% were infected with a virus.
-http://www.usatoday.com/tech/news/2004-10-25-internet-security_x.htm
-http://www.pcworld.com/resource/printable/article/0,aid,118311,00.asp
-http://www.washingtonpost.com/ac2/wp-dyn/A60199-2004Oct25?language=printer (site requires free registration)
[Editor's Note (Schultz): This survey shows that the recommendations for critical infrastructure protection concerning security among home users could not have been more correct. ]

User Education Is A Flawed Strategy For Protecting Computer Users From Internet Scams (25 October 2004)

Jakob Nielsen, one of the "Internet's foremost experts in Web usability" (according to Business Week) and number six on ZDNet's "The Web's Ten Most Influential People," calls for a change in policy to thwart Internet scams, saying, "User education is not the answer to security problems." A strategy that relies on user education, Nielsen argues, puts the burden on the wrong shoulders. The only real solution, according to Nielsen, is to make security a built-in feature of all computing elements.
-http://www.useit.com/alertbox/20041025.html
[Editor's Note (Paller): Walt Mossberg of the Wall Street Journal said nearly the same thing a few months ago, calling on vendors like Microsoft to "stop blaming the users." A columnist in another national newspaper called on users to get angry. The solution to this problem is entirely in the hands of governments and large users throughout the world. When they demand built-in security as a minimum qualification for bidding, vendors will fall all over each other to deliver safer systems to them. That will lead to smaller buyers finding safer systems for sale. ]

The Seoul (South Korea) Metropolitan Government has prohibited its employees from using Internet instant messaging, chat services and "connections to harmful Internet sites" in order to guard against information leaks ("protect internal information").
-http://english.chosun.com/w21data/html/news/200410/200410220031.html
[Editor's Note (Schultz): Like it or not, this is going to be increasingly commonplace in the future. The risks of allowing Internet messaging services generally outweigh the job-related advantages, and the risks are likely to keep growing. ]

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCING

53 Arrested in Brazilian Phishing Case (21 October 2004)

Brazilian police have arrested 53 people in four northern Brazilian states on phishing charges. In all, they allegedly stole US$30 million; one third of those arrested had previously been arrested for similar offenses.
-http://www.vnunet.com/news/1158910
[Editor's Note (Shpantzer): This and other hacking-for-profit stories in today's newsbites illustrate how cyberspace is affecting criminal behavior via expanded opportunity for mischief. Two years ago a law professor wrote a fascinating paper, describing how the internet would affect the evolution of organized crime as it discovers and exploits the internet. Terrific blend of history and criminology, as well as a sneak peek at possible future models for organized cybercrime.
-http://www.jolt.unc.edu/Vol4_I1/Web/Brenner-V4I1.htm ]

Man Sentenced to 2 1/2 Years in Prison for Accessing Computer Systems without Authorization (19 October 2004)

Daniel Baas has been sentenced to 2 1/2 years in prison for breaking into business and law firm computer systems to access legal documents, financial data and other material that he copied for himself. Baas pleaded guilty to unauthorized computer access. Baas is also awaiting sentencing for his role in breaking into Acxiom Corp.'s computer system.
-http://www.cincypost.com/2004/10/19/baas101904.html

12 Arrests Made in Hong Kong Phishing Scheme (18 October 2004)

Law enforcement officials have arrested 12 people in connection with a phishing scheme in Hong Kong that allegedly resulted in the loss of HK$600,000 (approximately US$77,000). Six of the suspects have been charged with theft and face sentences of up to 10 years in jail if they are convicted.
-http://www.theregister.co.uk/2004/10/18/hk_phishing/print.html

LEGISLATION

Singapore Likely to Increase Penalties for Piracy (20 October 2004)

Singapore's parliament is considering amendments to the country's Copyright Act which would impose a maximum sentence of 6 months in jail and a fine of S$20,000 (US$12,000) on people convicted of Internet piracy for the first time. Repeat offenders would face three years in jail and fines of S$50,000 (US$30,000). The amendments are likely to pass in mid-November and become law on January 1, 2005.
-http://australianit.news.com.au/common/print/0,7208,11127694%5E26199%5E%5Enbv%5E15306%2D15319,00.html
[Editor's Note (Paller, Tan): Singapore is one of the countries that seriously enforces laws against piracy. The larger fines will make people think twice before sharing copyrighted music and other files. (Grefer): To put these numbers into perspective, the average household income in 2000 was around S$60,000 (US$36,000). ]

SPAM & PHISHING

Judge Issues Restraining Order Against Alleged Spammer (24 October 2004)

MISCELLANEOUS

Microsoft Revises SenderID, AOL Back On Board (26 October 2004)

Microsoft made modifications to Sender ID, its proposed e-mail authentication scheme, to make it work better with existing SPF records. It also narrowed its patent applications for the underlying technology in an effort to appease open-source critics. AOL immediately supported the initiative.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=51200627
[Editor's Note (Paller): Sender ID is one of the vendor initiatives that may lead to a huge reduction in spam and phishing. If all the vendors work together on a single authentication scheme, their efforts can significantly reduce spam and phishing attacks. ]

Avoiding Log Analysis Mistakes (21 October 2004)

Some organizations may not be reaping the complete benefits of a log collection and analysis infrastructure because of five mistakes: failing to look at the logs, storing the logs for too short a period of time, failing to normalize logs, failing to prioritize log records, and looking only at the bad things in logs.
-http://www.computerworld.com/printthis/2004/0,4814,96587,00.html
[Editor's Note (Schneier): Log analysis systems are only as good as the people doing the actual log analysis. You have two choices: hire those people to sit in front of the machines 24/7 yourself, or hire a Managed Security Monitoring company to do it for you. I think that eventually everyone will be doing the latter. ]
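Three of the five mistakes above (no normalization, no prioritization, and reading only the failures) can be shown concretely. The Python below is an added example written for this page; it is not from the ComputerWorld article or from SANS. The log lines are constructed for illustration in OpenSSH syslog and Apache access-log formats; the year supplied to the syslog timestamps, the host name assigned to access-log records and the priority scores are all assumptions of the example, not a standard. The point it makes is the fifth mistake: a filter on "Failed" shows three login failures, but the record that matters is the successful login from the same address that follows them.

```python
"""Normalize mixed log sources into one schema, score them, and correlate
successes with the failures that precede them (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample input: mixed-source lines as a central collector would see them.
SAMPLE_LOGS = [
    "Oct 21 03:14:01 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Oct 21 03:14:03 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Oct 21 03:14:05 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Oct 21 03:14:09 web01 sshd[4122]: Accepted password for admin from 203.0.113.7 port 51025 ssh2",
    "Oct 21 03:20:44 web01 sshd[4130]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2",
    '198.51.100.20 - - [21/Oct/2004:03:21:10 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [21/Oct/2004:03:22:30 +0000] "GET /admin/config.php HTTP/1.0" 404 210',
]

SYSLOG_YEAR = 2004          # assumption: syslog omits the year, the collector knows it
ACCESS_LOG_HOST = "web01"   # assumption: Apache access logs carry no host name

# OpenSSH authentication line as written by syslog.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Apache common/combined access-log line.
HTTPD_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Event:
    """One normalized record; every source is reduced to these fields."""
    ts: datetime            # naive UTC
    host: str
    source: str             # "sshd" or "httpd"
    action: str             # "login" or "http_request"
    outcome: str            # "success" or "failure"
    user: Optional[str]
    src_ip: str
    detail: str
    raw: str


def parse_line(line: str) -> Optional[Event]:
    """Map a raw line onto the common schema; unknown formats return None."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        outcome = "success" if m["result"] == "Accepted" else "failure"
        return Event(ts, m["host"], "sshd", "login", outcome, m["user"], m["ip"], m["result"], line)
    m = HTTPD_RE.match(line)
    if m:
        ts = (datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
              .astimezone(timezone.utc).replace(tzinfo=None))
        status = int(m["status"])
        outcome = "success" if status < 400 else "failure"
        detail = f"{m['method']} {m['path']} {status}"
        return Event(ts, ACCESS_LOG_HOST, "httpd", "http_request", outcome, None, m["ip"], detail, line)
    return None


def normalize(lines: List[str]) -> List[Event]:
    """Parse every line that has a known format and order the result by time."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    return events


def successful_after_failures(events: List[Event], threshold: int = 3,
                              window: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Return login successes preceded by >= threshold failures from the same IP within window."""
    failures = defaultdict(list)    # src_ip -> timestamps of earlier failures
    hits = []
    for e in events:                # events are time-ordered, so earlier failures are seen first
        if e.action != "login":
            continue
        if e.outcome == "failure":
            failures[e.src_ip].append(e.ts)
        elif len([t for t in failures[e.src_ip] if e.ts - t <= window]) >= threshold:
            hits.append(e)
    return hits


def prioritize(events: List[Event]) -> List[Tuple[int, Event]]:
    """Attach a priority to each record (scores are this example's assumption) and rank them."""
    flagged = set(successful_after_failures(events))
    ranked = []
    for e in events:
        if e in flagged:
            score = 9       # a password-guessing run that ended in a successful login
        elif e.action == "login" and e.outcome == "failure":
            score = 3
        elif e.action == "http_request" and e.outcome == "failure":
            score = 2
        else:
            score = 1       # routine "good" event: kept and ranked, not dropped
        ranked.append((score, e))
    ranked.sort(key=lambda se: (-se[0], se[1].ts))
    return ranked


if __name__ == "__main__":
    for score, e in prioritize(normalize(SAMPLE_LOGS)):
        print(f"P{score} {e.ts:%Y-%m-%d %H:%M:%S} {e.source:<5} {e.outcome:<7} "
              f"{e.src_ip:<14} {e.user or '-':<7} {e.detail}")
```

Run as a script it prints the seven records with the 03:14:09 "Accepted password for admin" at the top as P9, even though that line contains nothing that a search for "Failed" or "error" would match. The retention mistake has no code fix, but the correlation window shows why it matters: the success is only suspicious because the failures from the same address are still available to compare against.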

Talking to CEOs About Security (20 October 2004)

Larry Ponemon serves as a board member of the Security Leadership Institute, a think tank which recently talked with CEOs about their perception of the value of security to their enterprise. Ponemon offers some issues IT professionals can raise in meetings with CEOs that will engage their attention.
-http://www.computerworld.com/printthis/2004/0,4814,96803,00.html

McAfee Awarded Patent for Malware Detection (20 October 2004)

McAfee has announced that it has been awarded US patent 6,775,780, "Detecting Malicious Software by Analyzing Patterns of System Calls Generated During Emulation." McAfee's director of Intellectual Property, Chris Hamaty, acknowledged that the patent is broad and is intended to protect the company's intellectual property and give it a competitive edge in the security software market.
-http://www.internetnews.com/security/print.php/3424581
[Editor's Note (Grefer): Not again! I had hoped we were past the stage of such attempts at overly broad patent applications. ]
===end===

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/